
Mallox Ransomware

Written by The Hivemind | Sep 15, 2023 6:00:19 PM

Related Families: Remcos RAT, Metasploit
Verticals Targeted: Manufacturing, Retail, Wholesale, Legal, Professional Services

Executive Summary

Mallox, also known as TargetCompany, FARGO, and Tohnichi, is a ransomware family targeting Windows systems, particularly unsecured MS-SQL servers, to compromise victim networks.

Key Takeaways

  • Mallox is a ransomware family targeting Windows systems, including MS-SQL servers, to compromise victim networks.
  • Mallox is exploiting two well-known RCE vulnerabilities in SQL servers, CVE-2020-0618 and CVE-2019-1068, to obtain initial access.
  • Following a series of attacks over the last several months, industry researchers noted the activity appears to indicate the threat actors are expanding their capabilities.

What is Mallox?

Mallox, also known as TargetCompany, FARGO, and Tohnichi, is a ransomware family targeting Windows systems. Active since at least June 2021, Mallox exploits unsecured MS-SQL servers to compromise victim networks.

According to SpearTip, Mallox is exploiting two well-known RCE vulnerabilities in MS-SQL servers, CVE-2020-0618 and CVE-2019-1068, to obtain initial access. The threat actors are also known to compromise publicly exposed MS-SQL servers by running dictionary-based brute force attacks against weak credentials, picking off the easiest targets first. Post-compromise, Mallox runs command-line and PowerShell scripts to retrieve and execute additional scripts and the Mallox payload. The payloads are typically .NET assemblies, .EXE, or .DLL files.
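The brute-force stage described above is the most visible part of the intrusion from a defender's side: every guessed password against an exposed MS-SQL instance lands in the SQL Server ERRORLOG as an error 18456 "Login failed" event tagged with the client address. The following detection script is an added example, not code from PolySwarm or from any of the researchers cited on this page. It parses the "Login failed for user ..." message lines (the format SQL Server writes to ERRORLOG) and flags any source IP that produces a burst of failures inside a sliding time window, which is what a dictionary attack against `sa` and other common logins looks like. The log lines, IP addresses, user names and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of SQL Server ERRORLOG lines (not real telemetry).
# 203.0.113.5 plays the attacker guessing 'sa' and 'admin'; 10.0.0.7 is a
# single legitimate typo. The "Error: 18456" lines that precede each
# message carry the State code and are deliberately ignored here.
SAMPLE_ERRORLOG = """\
2023-09-15 09:59:58.00 spid12s     Starting up database 'tempdb'.
2023-09-15 10:00:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-15 10:00:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-15 10:00:01.31 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-15 10:00:01.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-15 10:00:01.40 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-15 10:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-15 10:00:01.52 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-15 10:00:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-15 10:00:02.10 Logon       Error: 18456, Severity: 14, State: 5.
2023-09-15 10:00:02.10 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-09-15 10:00:02.33 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-15 10:00:02.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-15 10:03:40.00 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-15 10:03:40.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

# Matches the message line of an 18456 event and captures the fields we need.
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\. "
    r"Reason: (?P<reason>.*?) \[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_failed_logins(text):
    """Return one dict per 'Login failed' line; other ERRORLOG lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED_RE.match(line.rstrip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "user": m.group("user"),
            "reason": m.group("reason"),
            "client": m.group("client"),
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs with >= threshold failed logins inside any sliding window.

    Returns {client: {"count", "users", "first", "last"}} holding the densest
    window observed per client. Threshold and window are illustrative values;
    tune them to the baseline of the server being monitored.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it fits within `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(client, {}).get("count", 0):
                alerts[client] = {
                    "count": count,
                    "users": sorted({e["user"] for e in evs[start:end + 1]}),
                    "first": evs[start]["ts"],
                    "last": ev["ts"],
                }
    return alerts


if __name__ == "__main__":
    for client, info in detect_bruteforce(parse_failed_logins(SAMPLE_ERRORLOG)).items():
        print(f"{client}: {info['count']} failed logins for {info['users']} "
              f"between {info['first']} and {info['last']}")
```

In this constructed sample only 203.0.113.5 trips the rule (six failures across `sa` and `admin` in just over a second), while the single `appuser` failure from 10.0.0.7 is left alone. In production the same logic would run over the live ERRORLOG or the equivalent Windows Application log events, and a hit on an internet-facing server is a prompt to check for the follow-on PowerShell download activity described above.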

Based on earlier industry analysis, most Mallox variants appear to use a combination of AES-128 and ChaCha20 for file encryption. While some variants append the .mallox extension to encrypted files, others are known to append different extensions, including .FARGO3, .exploit, .avast, .bitenc, and .xollam.

Following a series of attacks over the last several months, industry researchers noted the activity appears to indicate the threat actors are expanding their capabilities. The threat actors are also reportedly recruiting affiliates.

Mallox has evolved its stealth and evasion techniques to stay undetected and maintain persistence. To evade signature-based detection, Mallox employs fully undetectable (FUD) packers using a method similar to the BatCloak obfuscator. Mallox is also using Remcos RAT and Metasploit in its attack chain.

Mallox employs a double extortion method: the threat actors demand a ransom payment to decrypt files and threaten to publicly release stolen data if it is not paid. A ransom note is dropped in every directory on the victim's machine, and victims are given a private key with which to contact the threat actor and negotiate payment. At present, Mallox's victim list includes entities in the manufacturing, retail, wholesale, legal, and professional services verticals, among others.

IOCs

PolySwarm has multiple samples of Mallox.


6c743c890151d0719150246382b5e0158e8abc4a29dd4b2f049ce7d313b1a330

b03f94c61528c9f3731a2e8da4975c072c9ed4e5372d3ec6b0939eebe01e54a4

de9d3e17555e91072919dc700dc7e588cd52617debcad2f764ef9c7fbf6c9f7b

ce198296ebb3def9b1c929b3e54072e831e05d993eda48129987ef93d717a7d6


You can use the following CLI command to search for all Mallox samples in our portal:

$ polyswarm link list -f Mallox


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports